I've got a Windows Server 2019 domain controller with a GPO applying auditing on logon events. RSOP shows it is applied; however, if I look at the event logs, the moment it applies I can see that it is removed by SYSTEM. Why is this happening? How do I force auditing on this event?
1 Answer
I found the answer in this question, but the link is dead, so for the benefit of future users I will post the answer I found.
So there was an interesting case which floated my way the other day.
The Audit policies in the domain controllers policy were set to the following, and there were no other policies blocking or changing these.
---image of audit directory service access success GPO result
After a policy update the following events were logged:
---image of auditing success removed event summary
In addition, auditpol /get /category:* simply would show no auditing after policy update:
---image of cmd prompt showing no auditing
So, where was this crazy thing being overwritten? It wasn’t in the policies, since we checked all of them carefully for inheritance etc.
Looking at where a client actually stores audit policy may give us a clue (C:\Windows\system32\grouppolicy\machine\microsoft\windows nt\audit\audit.csv and C:\Windows\security)
But there was nothing there of interest. So, the last place to look was the sysvol data:
M:\SYSVOL\domain\Policies\{CEF3323C-FD89-4C03-9410-18F7A4922E5A}\Machine\microsoft\windows nt\Audit
Aha! Under here was the .CSV file with the headings - but no configuration data in it!
--image of the csv file
We removed this file and now audit policies flowed properly to the DCs and audit events were generated.
Odd. It turns out that they had applied the policies via a GPOBackup and perhaps something had occurred prior to the backup.
Anyway – hope it helps someone someday
Author: Steve Patrick (spat)
Here is a link to the archive of the article
Thanks Steve, it helped me 9 years later.
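As an added example (not part of the original answer or of Steve Patrick's article), this PowerShell check lists every GPO folder under SYSVOL that contains an audit.csv and flags the ones holding only the header row, which is the condition described above. The default share path built from USERDNSDOMAIN and the function name Test-HeaderOnlyAuditCsv are assumptions; pass your own path with -SysvolPolicies.

```powershell
# Added example: find GPOs whose audit.csv in SYSVOL has headings but no settings.
# Assumption: the Policies folder is reachable at \\<domain>\SYSVOL\<domain>\Policies.
param(
    [string]$SysvolPolicies = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
)

function Test-HeaderOnlyAuditCsv {
    # Hypothetical helper: true when the file has at most one non-blank line.
    param([Parameter(Mandatory)][string]$Path)
    $lines = @(Get-Content -LiteralPath $Path | Where-Object { $_.Trim() -ne '' })
    return ($lines.Count -le 1)
}

# Each subfolder of Policies is one GPO, named by its GUID.
$results = Get-ChildItem -LiteralPath $SysvolPolicies -Directory | ForEach-Object {
    $csv = Join-Path $_.FullName 'Machine\Microsoft\Windows NT\Audit\audit.csv'
    if (Test-Path -LiteralPath $csv) {
        [pscustomobject]@{
            GpoGuid    = $_.Name
            HeaderOnly = Test-HeaderOnlyAuditCsv -Path $csv
            LastWrite  = (Get-Item -LiteralPath $csv).LastWriteTime
            AuditCsv   = $csv
        }
    }
}

# Header-only files sort to the top; these are the candidates to review.
$results | Sort-Object HeaderOnly -Descending | Format-Table -AutoSize
```

Review any GPO reported with HeaderOnly set to True before removing its file, then run gpupdate and auditpol /get /category:* on the DC to confirm the audit settings now persist.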
